This report is confidential and is intended for use by the Directors of the ICO only. It forms part of our continuing dialogue with you. It should not be made available, in whole or in part, to any third party without our prior written consent. We do not accept responsibility for any reliance that third parties may place upon this report. Any third party relying on this report does so entirely at its own risk. We accept no liability to any third party for any loss or damage suffered or costs incurred, arising out of or in connection with the use of this report, however such loss or damage is caused.


It is the responsibility solely of the ICO management to ensure that there are adequate arrangements in place in relation to risk management, governance and control. 
1 Executive Summary


1.1 Background 
Our review considered the ICO's arrangements for monitoring and implementing recommendations raised from internal audit reviews.


1.2 Scope 

The Senior Corporate Governance Manager has the responsibility for monitoring progress of audit actions agreed with management. Progress, status and closure of audit actions are reported to the Audit Committee.


There were no High recommendations made in the previous year which we would individually and separately follow up; we therefore examined a representative sample of the recommendations from the audit actions that were outstanding as at 1 April 2016 and have since been closed. We sought to confirm that, for those audit actions closed, there is evidence to substantiate that the appropriate action has been put in place, and thus that it was right to close them.


We focussed on the following sub risks: 


• Risks identified by Internal Audit reviews are not being appropriately mitigated and the ICO is exposed to risks that exceed the organisation's appetite for those risks;

• Insufficient evidence is retained to confirm the conclusion that the action is in place, leading to a duplication of work to confirm implementation, which is an inefficient use of ICO resources; and,

• The Senior Management Team is misinformed about internal controls, leading to poor management oversight of controls and potentially an Internal Audit plan that does not focus on the key risks.


Further details on responsibilities, approach and scope are included in Appendix A.


1.3 Overall assessment 
We have made an overall assessment of our findings as: 


Overall assessment 


Overall the ICO has an established process in place which provides sufficient oversight of audit actions and their progress. We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control.


Refer to Appendix B for definitions of internal audit opinion and recommendation ratings.


1.4 Key findings 


Risk / Process                      Number of findings by rating (highest to lowest)
Mitigation of risks                 -    -    -    -
Evidence of implementation          -    -    1    -
Oversight from Senior Management    -    -    -    -
Total                               -    -    1    -
1.5 Controls identified
During our review we confirmed that the following controls have continued to operate during 2016-17:


• The Senior Corporate Governance Manager maintains a log of outstanding audit recommendations, which is presented to the Audit Committee at each meeting for discussion and challenge;

• This log is available on the ICON system, to allow recommendation owners to view their outstanding recommendations, and they are reminded individually when updates are needed;

• The log shows the due date for implementation of recommendations, as well as a forecast due date if this is expected to be different. An accompanying explanation is provided for any re-forecast due dates;

• Implemented recommendations are recorded separately from ongoing recommendations to allow the Audit Committee to focus clearly on those which remain unactioned, but implemented recommendations do remain on the Register until the end of the financial year to which they relate;

• A performance update is provided with the outstanding recommendations log to each Audit Committee meeting, giving oversight of the number of overdue recommendations; the Audit Committee has to approve (or formally accept) due date changes.


1.6 Acknowledgement 


We would like to take this opportunity to thank the staff involved for their co-operation during this internal audit.

2 Detailed Findings


2.1 Evidence of implementation

1. Supporting evidence for completed audit recommendations

Finding and Implication

In order to provide assurance that recommendations have been implemented, and that diligence has been applied to ensure the resulting control is adequate, we sampled a selection of closed audit recommendations and requested evidence of their implementation. Our review covered nine recommendations; for one of these no evidence was available.

Furthermore, the Senior Corporate Governance Manager does not maintain a folder of evidence to substantiate the closure of audit recommendations, which would also assist any future follow-up review. Instead, evidence must be gathered again from the action owner, so the evidence obtained relates to the point in time at which it is collected rather than to the point at which the action was recorded as closed. It can therefore confirm that the action was in place at the time of our follow-up but, depending on the action required, not necessarily that it was in place by the (historic) due date of the action.

Audit recommendations which have not been adequately actioned could be signed off, giving management the false impression that the risk to which they had been exposed has been mitigated effectively.

Proposed action

Where possible, the Senior Corporate Governance Manager should obtain supporting evidence from recommendation owners that confirms the recommendations have been implemented and meet the requirements of the agreed action.

In circumstances where evidence is unavailable because of the nature (tangibility) of the action, a discussion should be held with the owner to confirm the position, and an email outlining the justification for closure should be obtained.

Agreed action (Date / Ownership)

Action Agreed.
Date Effective: 07/03/17
Owner: Peter Bloomfield
A Internal audit approach


Approach 

Our role as internal auditor to a Public Body is to provide an independent and objective opinion to the Accounting Officer on risk management, control and governance processes, by measuring and evaluating their effectiveness in achieving the organisation's agreed strategic objectives.


Our audit was carried out in accordance with the guidance contained within the Government's Public Sector Internal Audit Standards (2013) and the Auditing Practices Board's "Guidance for Internal Auditors". We also had regard to the Institute of Internal Auditors' guidance on risk based internal auditing (2005). In addition, we comply in all material respects with other Government guidance applicable to Public Bodies and have had regard to the HM Treasury guidelines on effective risk management (the 'Orange Book').

As part of the 2016-17 Internal Audit Plan, we agreed with management and the Audit Committee to undertake a follow up of audit recommendations.


Responsibilities 

The Information Commissioner acts through her Board of Management and the Information Commissioner's Office ("ICO") discharges her obligations. Therefore, references to the Information Commissioner and the ICO in this report relate to one and the same party.

It is the responsibility of the Information Commissioner to ensure that the ICO has adequate and effective risk management, control and governance processes.
HM Treasury's Corporate Governance in Central Government Departments (2011) states that the boards of Public Bodies should determine the nature and extent of the significant risks they are willing to take in achieving their strategic objectives. The Board should therefore maintain sound risk management and internal control systems and should establish formal and transparent arrangements for considering how they should apply the corporate reporting, risk management and internal control principles and for maintaining an appropriate relationship with the organisation's auditors.


Please refer to our letter of engagement for full details of responsibilities and other terms and conditions.


Scope 
Our review focused on the following risks: 


• Risks identified by Internal Audit reviews are not being appropriately mitigated and the ICO is exposed to risks that exceed the organisation's appetite for those risks;

• Insufficient evidence is retained to confirm the conclusion that the action is in place, leading to a duplication of work to confirm implementation, which is an inefficient use of ICO resources; and,

• The Senior Management Team is misinformed about internal controls, leading to poor management oversight of controls and potentially an Internal Audit plan that does not focus on the key risks.
Additional information
Client staff 
The following staff were consulted as part of this review: 


• Peter Bloomfield, Senior Corporate Governance Manager
• Sally Hanson, Head of Finance (Interim).


Documents received 
The following documents were received during the course of this audit: 


• Audit recommendation log

• Evidence to support the sample of recommendations reported to the Audit Committee as implemented

• Progress of audit findings provided by the Senior Corporate Governance Manager.


Locations 
We visited The Information Commissioner's Office, Wilmslow for this review.

B Definition of overall assessment internal audit ratings


Overall assessment 


The three possible ratings are described below, from highest to lowest:

• Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which should be raised with Senior Management and the Audit Committee at the earliest opportunity.

• Following agreement of the nature and significance of individual issues with management, in our view this report contains matters which require the attention of management to resolve and report on progress in line with current follow up processes.

• We have identified matters which, if resolved, will help management fulfil their responsibility to maintain a robust system of internal control.


Audit issue rating 
Within each report, every audit issue is given a rating. The four ratings, from highest to lowest, are summarised below with the features that characterise each.

Description: Findings that are fundamental to the management of risk in the business area, representing a weakness in control that requires the immediate attention of management.
Features:
• Key control not designed or operating effectively
• Potential for fraud identified
• Non compliance with key procedures / standards
• Non compliance with regulation

Description: Important findings that are to be resolved by line management.
Features:
• Impact is contained within the department and compensating controls would detect errors
• Possibility for fraud exists
• Control failures identified but not in key controls
• Non compliance with procedures / standards (but not resulting in key control failure)

Description: Findings that identify non-compliance with established procedures.
Features:
• Minor control weakness
• Minor non compliance with procedures / standards

Description: Items requiring no action but which may be of interest to management or best practice advice.
Features:
• Information for department management
• Control operating but not necessarily in accordance with best practice